Russell Wangersky: Hackers could render us powerless

A group purporting to be members of the hacker collective Anonymous has issued warnings to Nova Scotia Power. How secure are the power grids?

Across the Atlantic provinces, we’re familiar with the occasional bout of unpredictable and violent weather. The question, sometimes, seems more like, “whose turn is it this time?” than anything else.

Russell Wangersky

Last winter, it was New Brunswick’s ice storm; in January of this year, more than 130,000 New Brunswick power users were without power. At the outset, it was thought to be the worst power outage in the province since — you guessed it — another weather event, post-tropical storm Arthur, when 60 per cent of the province’s electrical consumers, 195,000 customer accounts, lost power.

But by the time everything had been tallied up — and after some customers had been without power for more than a week — new estimates suggested the ice storm had had affected 200,000 customers in all.

Hurricane Juan and winter storm White Juan in Nova Scotia and Prince Edward Island, hurricane Igor in Newfoundland and Labrador; they are the sort of hardship bookmarks that many have in their memory. We’re trundling towards that time of the year again, at least as far as hurricanes are concerned.

But some storms don’t have seasons.

What if the storm was technology-based? In 2006, a fire in a telephone company facility in St. John’s saw Newfoundland and Labrador lose internet service province-wide, with banking machine, debit and credit systems all going black. The 911 system was also shut down, with all of the systems knocked out for more than five hours.

As technology intertwines and interconnects more and more, it’s not only the weather that presents a problem.

A lot of people are probably aware of computer ransomware — where individuals are locked out of their own computers by malicious hackers, and are forced to pay to get access to their own data and systems. Ransomware hacks have struck universities and hospitals — but what if the malware target was an entire electrical grid?

Industrial control system malware has actually twice hit the Ukrainian power grid; last year, two malware programs, Indestroyer and Crash Override, not only disrupted the Ukrainian system, but erased utility computer memories as well.

At the Black Hat 2017 cybersecurity conference in Las Vegas last week, there was considerable discussion about whether the system disruptions were a full-scale attack, or a test drive for something else — something that might be exceedingly hard to stop.

“It doesn’t rely on vulnerabilities, it doesn’t rely on specific systems being in place, it’s very much just operational knowledge of how to manipulate electric grids,” Robert M. Lee of cybersecurity firm Dragos said in an interview with the Information Security Media Group.

Grid operators are good at bringing their systems back up without their computer systems, so, Lee, pointed out, there’s no need for everyone to get an underground bunker ready, but said “this is something that will affect us all.”

“Our adversaries are learning from each other, they’re learning from themselves,” he warned.

The tools used in Ukraine can modified, he points out, to be applied to almost any major utility grid. The only thing slowing down computer hackers is learning the ins and outs of the industrial systems themselves.

What’s it mean?

Well, it goes back to an old message, one that the Red Cross talks about to anyone who will listen. The problem is, not enough of us do listen.

Be ready, the Red Cross says, to be completely on your own for a minimum of 72 hours in a major emergency. That means water, food — and even cash in small bills in case good old non-electronic cash is the only currency that’s usable.

Because you never know what kind of storm you’ll face.

Russell Wangersky’s column appears in more than 30 SaltWire newspapers and websites in Atlantic Canada. He can be reached at rwanger@thetelegram.com — Twitter: @wangersky.